DEV: Audit dependency licenses with License Finder (PR #13590)

Add a GitHub Action workflow to run license_finder, as well as some license decisions.

The new workflow YAML is based on the linter workflow.

I expect this to fail CI when I submit.

So it looks like a starter configuration for a different tool, GitHub’s licensed, was added back in d58360f72e2b316fe542a97df71d21aa6583e1b4. But that tool isn’t in Gemfile, and I don’t see it invoked in any scripts. Investigating.

I added it back a few years ago when you asked for a dependency check. It is not automated in any way, as it was an ad-hoc thing at the time.

Cool so we can remove that old tool and use the one @kemitchell prefers?

It’s looking like GitHub licensed may actually be the way to go. I’ll get back to you

Yeah, I just committed the file to save us the hassle of configuring this, but I have no strong opinions on this.

I’ve just force-pushed a redo using GitHub’s licensed for RubyGems and licensee for npm packages.

GitHub publishes an opinionated Action for running licensed. The approach there commits the cache files licensed creates within the repository. I’d rather not clutter the repo with those files, even in a dotfolder. In any event, generating the cache from nil takes a few seconds on my old laptop.

More troublingly, licensed seems to have trouble recognizing licenses for some RubyGems. In particular, it reports several gems as having an “other” license, when in fact it can see license data, and reports “MIT-SOURCE” in its cache files. I don’t know why it does this. And it’s easy enough to just approve those gems in .licensed.yml. But I’m worried it will produce annoying numbers of CI failures as folks add gems.

I also expect licensee, the checker for npm, to fail on first run, reporting a package with undefined name and version. This is on account of jquery.autoellipsis, which we’re currently installing from GitHub, rather than from npm. That repository doesn’t have a package.json file. If you try to install with npm install, it will fail for that reason. But Yarn happily installs modules without manifests into node_modules.

I’m very tempted to just publish that jQuery module to npm with a proper manifest. The code hasn’t been touched for nine years.
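The situation in the comment above, a module that Yarn installed into node_modules without a package.json, is easy to detect before a license checker trips over an undefined name and version. The script below is an added example written for this page; it is not Discourse's code, nor part of licensed or licensee. It walks a node_modules tree (including scoped `@scope/name` packages), reports any package whose manifest is missing, unparseable, or lacks a usable `name`/`version`, and builds a constructed fixture in a temp directory so it runs offline. The package names in the fixture are invented, except `jquery.autoellipsis`, which mirrors the case described above.

```ruby
# Added example (not Discourse's or licensed's code): find node_modules entries
# that were installed without a usable package.json manifest.
require "json"
require "tmpdir"
require "fileutils"

# Directories that represent packages: top-level entries plus the children of
# scoped (@scope) directories. Dotfolders such as .bin are not packages.
def package_dirs(node_modules_dir)
  Dir.children(node_modules_dir).sort.flat_map do |entry|
    next [] if entry.start_with?(".")
    path = File.join(node_modules_dir, entry)
    next [] unless File.directory?(path)
    if entry.start_with?("@")
      Dir.children(path).sort.map { |n| File.join(path, n) }.select { |p| File.directory?(p) }
    else
      [path]
    end
  end
end

# Returns an array of { package:, reason: } hashes, sorted by package name,
# for every package whose manifest a license checker could not rely on.
def find_unmanifested_packages(node_modules_dir)
  prefix = %r{\A#{Regexp.escape(node_modules_dir)}/?}
  problems = []
  package_dirs(node_modules_dir).each do |dir|
    rel = dir.sub(prefix, "")
    manifest = File.join(dir, "package.json")
    unless File.file?(manifest)
      problems << { package: rel, reason: "missing package.json" }
      next
    end
    begin
      data = JSON.parse(File.read(manifest))
    rescue JSON::ParserError
      problems << { package: rel, reason: "unparseable package.json" }
      next
    end
    missing = %w[name version].reject { |k| data[k].is_a?(String) && !data[k].empty? }
    problems << { package: rel, reason: "manifest lacks #{missing.join(', ')}" } unless missing.empty?
  end
  problems.sort_by { |p| p[:package] }
end

# Constructed fixture: one healthy package, one installed from a git URL with
# no manifest (the jquery.autoellipsis case), one scoped package missing its
# version, and a .bin folder that must be ignored. Names are invented.
def build_fixture(root)
  ok = File.join(root, "left-pad")
  FileUtils.mkdir_p(ok)
  File.write(File.join(ok, "package.json"), JSON.generate({ "name" => "left-pad", "version" => "1.3.0" }))

  no_manifest = File.join(root, "jquery.autoellipsis")
  FileUtils.mkdir_p(no_manifest)
  File.write(File.join(no_manifest, "jquery.autoellipsis.js"), "// installed from a git URL, no package.json\n")

  scoped = File.join(root, "@example", "no-version")
  FileUtils.mkdir_p(scoped)
  File.write(File.join(scoped, "package.json"), JSON.generate({ "name" => "@example/no-version" }))

  FileUtils.mkdir_p(File.join(root, ".bin"))
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir("node_modules") do |root|
    build_fixture(root)
    find_unmanifested_packages(root).each { |p| puts "#{p[:package]}: #{p[:reason]}" }
  end
end
```

Run against a real checkout by replacing the fixture with the project's node_modules path; a non-empty result is the list of packages that licensee will report with an undefined name and version, and is cheap enough to run as a CI step before the license check itself.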